Despite being a key application that we use every day, WhatsApp is far from perfect. We can overlook some features that its competitors have, knowing that sooner or later they will arrive, but when the problems concern security, things are much more alarming.
Broadly speaking, what has been discovered is that anyone who knows your WhatsApp number, without having to be one of your contacts, can determine whether you are using only the mobile application or also its web or desktop applications, which lets them obtain data that can be used to work out where you may be at any given time.
The serious problem of WhatsApp
It has been discovered that the messaging application, used by more than 30 million users in Spain, has a serious cybersecurity hole. The discovery was made by Israeli security researcher Tal Be’ery, who found that WhatsApp leaks the end-to-end encryption identity information of victims’ devices (mobile device + up to 4 linked devices) to any user, by default, even if that user is blocked and not in the victim’s contacts.
Monitoring the identity information of these devices linked to a user over time can allow potential attackers to collect useful and valuable information about the configuration of their victims’ devices and their changes (device replaced, added or removed).
According to this researcher, nothing currently prevents the most advanced cyber attackers, or any type of stalker, from spying on their victims and receiving alerts about new devices they have and new attack opportunities. For example, they would have advance information about when the victim is using the mobile version, which could indicate that the victim is away from home, and when the victim switches to the web or desktop version, indicating that they are already at home.
A risk to privacy
Tal Be’ery’s findings, as he himself has shared on social network X, have been reported to Meta. However, the company run by Mark Zuckerberg does not seem to have been too alarmed by this security hole. In fact, its response was that it works as designed.
Tal Be’ery
@TalBeerySec
5/ I had reported to @Meta @WhatsApp and their response was that it works as designed.
They are right, but their design is wrong. https://t.co/mpX1r3HlOT
January 18, 2024 • 15:04
One of the solutions that this security researcher considers possible would be for the application to at least allow users not to expose these details to users who are not in their contact list (as it does with other functions such as profile photo, last seen online, etc.). He even considers that, if taken to the extreme, non-contacts should not even know whether you have WhatsApp installed.
However, it seems that the company insists that its design and this security breach are not that serious. Meta spokesperson Zade Alsawah told TechCrunch that the company received Be’ery’s research and concluded that the current design of the app is just what users want and expect. “Before, the phone had to be online to receive messages and that presented significant limitations for people. With multiple devices, users can send and receive their personal messages across devices privately with end-to-end encryption, and that is the direction we will continue to take,” Alsawah said in his statement.